4.6 - Incident Response

Security Incident Response

Evidence Collection

  • Types of Evidence: Collect both physical and digital evidence during a security incident.

  • Chain of Custody: Essential for protecting the integrity of the evidence collected.

    • Definition: A document that records every person who comes into contact with the evidence and any changes made to it.

Digital Evidence Integrity

  • Use of Hashes: Hash digital evidence when it is collected, and again whenever it is analyzed, to confirm the data has not changed.

  • Digital Signatures: Tie access to digital data back to an individual, ensuring accountability.

Physical Evidence Collection

  • Sealed Bags: Store physical evidence in sealed bags and document details of the contents.

Incident Identification and Reporting

  • Incident Assessment: As the first responder, you should determine the nature of the incident by:

    • Checking Logs: Review system logs to identify anomalies.

    • Gathering In-Person Information: Collect testimonies or insights from individuals onsite.

    • Monitoring Data: Collect data from monitoring systems to analyze the event.

  • Reporting the Incident: Notify appropriate channels based on the organization's guidelines, which could include local law enforcement if necessary.

Data Preservation during Investigation

  • Comprehensive Data Collection: Instead of copying individual files, collect a complete copy of the entire storage drive.

    • Bit-by-Bit Copy: Take a bit-for-bit copy of the drive so that no data is lost, including deleted information still present on the drive.

  • Use of Imaging Devices:

    • Physical Imaging Device: A hardware write blocker must be used to avoid altering any data during the imaging process.

    • Software Imaging Tools: In the absence of a hardware solution, software tools on a bootable USB drive can be used to image the internal drive.
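The following is an added example, not part of these notes: it simulates the bit-for-bit image, hash-based integrity check and chain-of-custody record described above. An in-memory byte buffer stands in for the drive and the write blocker, and the analyst names and sample drive contents are constructed.

```python
import hashlib
import io
from datetime import datetime, timezone

CHUNK = 4096  # read size; real imaging tools read sector-aligned blocks

def sha256_stream(stream):
    """Hash a whole stream from the start, bit-for-bit, without loading it all."""
    stream.seek(0)
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()

def custody_entry(handler, action, digest, note=""):
    """One chain-of-custody record: who handled the evidence, when (UTC), what was done, and the hash."""
    return {"who": handler, "when": datetime.now(timezone.utc).isoformat(),
            "action": action, "sha256": digest, "note": note}

def image_drive(source, dest, custody_log, handler):
    """Copy every byte of source into dest (a bit-for-bit image), hash both sides and log
    each step. The source is only ever read, which is what a write blocker enforces."""
    source_hash = sha256_stream(source)  # baseline hash before the copy exists
    custody_log.append(custody_entry(handler, "hash source before imaging", source_hash))
    source.seek(0)
    for block in iter(lambda: source.read(CHUNK), b""):
        dest.write(block)
    image_hash = sha256_stream(dest)
    verified = image_hash == source_hash
    custody_log.append(custody_entry(handler, "create image", image_hash,
                                     "verified" if verified else "HASH MISMATCH"))
    return verified, source_hash

def verify_image(image, expected_hash, custody_log, handler):
    """Re-hash the image later (e.g. before analysis) and record the check."""
    ok = sha256_stream(image) == expected_hash
    custody_log.append(custody_entry(handler, "verify image", expected_hash,
                                     "verified" if ok else "HASH MISMATCH"))
    return ok

# Constructed sample drive: a live file plus a deleted file still present in unused space.
SAMPLE_DRIVE = (b"MBR\x00" * 64 + b"report.docx: quarterly figures" + b"\x00" * 200
                + b"[deleted] notes.txt: old draft" + b"\x00" * 100)

def demo():
    log = []
    src, img = io.BytesIO(SAMPLE_DRIVE), io.BytesIO()
    ok, digest = image_drive(src, img, log, "analyst A")
    img.seek(10); img.write(b"X")  # constructed: one byte of the image copy is altered
    return ok, verify_image(img, digest, log, "analyst B"), log
```

The second verification fails because the image no longer matches the hash recorded at collection, and the custody log shows who performed each step and when.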

Documentation of the Incident

  • Importance of Documentation: Document everything for both internal reference and potential legal proceedings.

  • Documentation Contents: Include:

    • Summary of events surrounding the incident.

    • Detailed step-by-step account of data acquisition processes.

    • Analysis findings for validation and consistency checks.

    • Conclusions based on gathered evidence and analysis.

Types of Data and Volatility

  • Definition of Volatility: Data can be categorized based on its volatility—how quickly it can change or be lost.

    • Volatile Data: Data that disappears quickly, such as:

      • CPU registers (most volatile, changes thousands of times per second)

      • CPU cache

    • Less Volatile Data: Sticks around longer, examples include:

      • ARP cache (limited time duration: 60 seconds to five minutes)

      • Network topology (rarely changes)

  • Volatility Comparison Chart:

    • Most Volatile: CPU Registers → CPU Cache → Router Tables → Process Tables → Kernel Statistics → Memory Information → Temporary File Systems → Disk Data → Remote Logging Data → Physical Configuration (least volatile) → Backup Tapes (stays for years).

  • Consideration for Data Acquisition: Collect the most volatile data first, since it may change or disappear before the less volatile data does; this keeps the evidence collection complete.

Conclusion

  • Recognizing and categorizing data based on volatility is crucial for efficient evidence collection and analysis during security incident responses. Consider each type of data within your systems and where they fit into the volatility spectrum during an investigation.